This post, however, is not about bug bounty programs. While a well-run bug bounty program is mandatory for maintaining a top-tier security posture, this post is about the foundation on which bug bounty programs are built: the Vulnerability Disclosure Policy (VDP).

We first launched our bug bounty program in 2014, with initial bounties for critical bugs in the range of $5,000, ramping up to (currently) over $10,000 for critical bugs. Over the past three years, leading security researchers from around the world have participated in our programs with some amazing, often original research. Beyond just the individual bugs, we have learned many lessons, uncovered unique, interesting threats, exploit vectors, and new research, and rejigged our priorities based on the bug bounty reports. From Dropbox and all our users, a big THANK YOU to all the researchers who help secure Dropbox for our users!

Dropbox is recognizing security researchers for submitting security bugs through a bug bounty program with HackerOne and Bugcrowd. Whether you’re a security bug guru or a complete newbie, we want to make it as easy as possible to submit any bugs you find!

To this end, we’ve compiled the top 5 security bug report tips from our very own Security Engineers:

Build a stronger report by including information on the actual and potential impact of the vulnerability, as well as details of how it could be exploited.

Protecting the privacy and security of our users’ information is a top priority for us at Dropbox. In addition to hiring world-class experts, we believe it’s important to get all the help we can from the security research community, too. That’s why we’re excited to announce that starting today, we’ll be recognizing security researchers for their effort through a bug bounty program with HackerOne.

Bug bounties (or vulnerability rewards programs) are used by many leading companies to improve the security of their products. These programs provide an incentive for researchers to responsibly disclose software bugs,
